We have installed TFS 2010 with success but wonder how to set the users permissions. We are small projects with five developers, a manager and a secretary. Each developer is working itself with one or more projects, we have no cooperation between any projects. We want everyone to be able to see all the code for each project, but that only those who are responsible for the code to change it. However, we want everyone to create Work Items for all projects. How should we set this up?
In Visual Studio, go to Team Explorer (View - Team Explorer). Right-click the root node (servername\collectionname). Go to Team Project Collection Settings. Here you have 2 options; Security, and Group Membership. Use Security to choose which users/groups can do what. Use Group Membership to add/remove users from security groups. I would recommend creating a group with limited access and add everyone to it. Then, you can right-click on a project in team explorer, go to Team Project Settings -> Group Membership. Add that group to the Readers group so everyone can read that project. Then, add those responsible for the code to the Contributors group, or even the Project Administrators group if you want them to have more power.
You can use the TFS Admin tool: http://tfsadmin.codeplex.com.
It is an easy tool to set the permissions for TFS, SharePoint and SSRS.
For detailed information about TFS 2010 permissions you can check this http://msdn.microsoft.com/en-us/library/ms252587.aspx
If you want a user can read the codes you have to give him/her only Read permission and to avoid changing code you have to deny check out and check in permissions. You can set these permissions by right clicking the folder or file in Source Control Explorer, Clicking Properties and clicking Security tab.
For Work Items you have to give WORK_ITEM_WRITE and WORK_ITEM_READ permissions. You can do by right-clicking the project in Team Explorer, clicking Areas and Iterations, and on the Area tab, clicking Security
See the workaround I posted here - http://stackoverflow.com/questions/3446872/adding-active-directory-users-to-team-foundation-server/3872132#3872132
It will allow you to add users to your TFS 2010 project without having access to the remote domain (useful when you have remote developers or when your Team Foundation Server is remotely hosted.)
The steps include details about adding new users to your project groups.